A serious security vulnerability has been discovered in Apple's Safari browser. A software bug allows websites to read users' online activities and even reveal their identities. Safari users should currently use a different browser.

The vulnerability in Safari 15, the current version of the Apple browser, was discovered by the security company FingerprintJS and reported to Apple on November 28, 2021. To date, the serious bug in the browser has not yet been fixed, reports the website The Hacker News . A flaw in the implementation of the IndexedDB API means that users' online activities can be read and even their identities can be revealed. This can make them easy targets for scams and phishing attacks.

Short digression: IndexedDB and Same-Origin-Policy

The IndexedDB is an API provided by web browsers to manage a NoSQL database with structured data objects. Like most other storage solutions on the web, IndexedDB follows the same-origin policy . This states that you have access to stored data within a domain. However, access is generally not possible across different domains.

The same-origin policy is a fundamental security mechanism that ensures that resources accessed from different origins are isolated from one another. Resource isolation is intended to make it more difficult for malicious scripts to gain access to data from other domains.

Safari violates the same-origin policy

The current problem with Safari is that the IndexedDB API violates the same-origin policy. A bug ensures that every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session, explains FingerprintJS's Martin Bajanik . This error enables websites to read which other websites a Safari user is visiting.

Another big problem: If the user visits the website of a Google service such as YouTube, the authenticated Google user ID, which can be used to uniquely identify a Google account, is also stored in the database created.

The bug allows malicious websites and scripts to build a user's browsing profile, reveal a user's identity, and possibly even link multiple accounts used by the user. This makes spied users easy targets for phishing and scam emails.

You can do this against the security gap

Unfortunately, the data leak in Safari cannot be circumvented by using private surfing mode. We currently recommend that you refrain from using Safari on macOS and iOS or iPadOS until Apple closes the security gap in its own browser.